Golang code inspection tools

As software engineers, we always try to improve the quality of our programs.
We look for the best software development practices and TDD techniques.

"Have no fear of perfection - you'll never reach it."
― Salvador Dalí

In this article we will explore different code inspection tools in the Go ecosystem.
We will increase our code quality and engineering skills by running tools
that analyze our code base and report its suspicious parts.

Govet

Vet does analysis on Go source code and reports suspicious constructs.
It uses heuristics that do not guarantee all reports are genuine problems.
Vet can find errors not caught by the compilers.

Vet reports two suspicious constructions. First it reports that the if-condition
is suspicious. It’s always true since cannot be both. The second warning reports
that %s is used with an integer type instead of a string.

Golint

Golint differs from gofmt and govet. It prints out style mistakes.
Golint is concerned with coding style. It is in use at Google, and it seeks
to match the accepted style of the open source Go project.

Golint makes suggestions regarding source code. It is not perfect,
and has both false positives and false negatives. Do not treat its output as the truth.
It will never be trustworthy enough to be enforced automatically as part of a build process.

The command-line tool gives us the following suggestions to improve our source code:

hr.go:5:6: exported type Person should have comment or be unexported
hr.go:9:1: exported function NewPerson should have comment or be unexported
hr.go:12:9: if block ends with a return statement, so drop this else and outdent its block

Neat. Isn’t it?

Errcheck

The errcheck command-line tool checks whether source code has
unhandled errors.

Installation

$ go get github.com/kisielk/errcheck

Usage

The following flags can control the tool behavior (extracted from help doc):

-abspath print absolute paths to files

-asserts if true, check for ignored type assertion results

-blank if true, check for errors assigned to blank identifier. By default is false.

SafeSQL

Installation

$ go get github.com/stripe/safesql

Usage

If SafeSQL passes, your application is safe from SQL injections; however, there
are many safe programs which SafeSQL will declare potentially unsafe. These
false positives have two causes. First, SafeSQL does not recursively trace
query arguments through every function. Second, many SQL statements cannot be
represented as the compile-time constants that the static analysis algorithm requires.

Varcheck

The varcheck command does the same analysis as Structcheck, but on global
variables and constants.

Installation

$ go get github.com/opennota/check/cmd/varcheck

Usage

Let's inspect the hr package again:

# -e: report exported variables and constants
$ varcheck -e hr

It finds that the Age constant is not used:

hr: /$GOPATH/src/hr/hr.go:5:7: MaxAge

Conclusion

The static single-assignment (SSA) package
provides a very powerful framework for code analysis. It gives the opportunity
to build different tools that may increase the code quality and durability of
every Go program. I am looking forward to seeing more and more command-line tools
that will bring our source code to the next level.